Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki


Reported on

Dec 16th 2021


Auditing the AJAX endpoints revealed that some endpoints which perform state-changes do not have CSRF protection.

Proof of Concept

POST /lib/exe/ajax.php?call=draftdel&id=start 


This vulnerability is capable of tricking users to delete their own drafts.


Draftdel js

Draftdel backend

We are processing your report and will contact the splitbrain/dokuwiki team within 24 hours. a month ago
haxatron modified their report
a month ago
a month ago


Looks like the lock ajax endpoint doesn't seem to do much, let me investigate further

a month ago


I think the lock ajax endpoint does not seem to do much, so it does not seem it warrants CSRF protection

We have contacted a member of the splitbrain/dokuwiki team and are waiting to hear back a month ago
Andreas Gohr validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Andreas Gohr confirmed that a fix has been merged on 242015 a month ago
Andreas Gohr has been awarded the fix bounty
edit.js#L210L215 has been validated
Ajax.php#L163L173 has been validated